Splunk App for DSPT Compliance

This app has been created to assist in yearly compliance to the Data Security and Protection Toolkit (DSPT). The DSPT Audit applies.

Features

• Recurrent retrieval of cyber alerts from feeds to enrich data analysis

• Dashboards to ease compliance with the DSPT for audit purposes:

  Dashboard Name	Description
  Overview	General overview of monitored data
  Administrator	Audit admisitrator activity required for DSPT
  User	Audit user activity required for DSPT
  Host	Audit hosts required for DSPT
  Malware	Audit malware activity required for DSPT
  Network	Audit & Monitor network activity
  VPN	Audit & monitor vpn activity
  Cyber Alerts	Cyber Alerts details
  Evidence Questionnaire	Enables users to fill in the evidence questionnaire

Getting Started

Requirements

• Splunk Common Information Model App
• Lookup File Editor
• Accelerated Data Models:

1. Authentication
2. Change
3. Endpoint
4. Intrusion Detection
5. Malware
6. Network Sessions
7. Network Traffic
8. Web

Data required to fully utilise this app:

• Active Directory
• Edge Firewalls
• Windows Event Logs
• Windows Update Logs
• Windows Host Mon (OS Stanza)
• Anti Virus Logs
• VPN Logs

Installation

Please refer to the Splunk Documentation for guidance on installing the Add-On in your environment. The app needs to be installed on the SH tier.

Configure Cyber Alerts Indexing

By default the app comes with a pre-configured and disabled input named main, that will daily fetch cyber alerts via NHS REST API and store them in the default index.

For customizations or additional feeds, from your Splunk instance Web Interface:

• Browse to Settings / Data Inputs
• Select Splunk App for DSPT Compliance and provide the following info:
  • Name of the input
  • REST API endpoint to fetch cyber alerts
  • Enable Checkpoint - to align with your events duplication policy
  • (Optional) More settings - to specify host, interval, index and sourcetype

Dear admins, please first enable the input, if you decide to store cyber alerts in another index, please make sure you update the macro default_index with Definition such as index=<YOUR_INDEX>

Usage

Once installed, from your Splunk instance Web Interface, select the app DSPT Compliance and navigate through the dashboards to verify content.

The app aims to assist in DSPT asertions where IT staff are asked to regularly review certain activity types or provide evidence against ascertions. Where a monitoring requirement is required the dashboards found within the 'Audit" drop down can be used. Where Evidence is required, reports can be found to faciilitate the capture of required information.

Troubleshooting

Useful SPL searches to:

• Verify Cyber Alerts indexing index=_internal nhs_cyberalerts.py
• Verify the index has been populated with Cyber Alerts index=main

  Please replace main with the index specified in the configuration and make sure the time range is set on All time

Contributing

If you would like to contribute to this app, see CONTRIBUTING.

References

• NHS Cyber Alerts API

Credits

App has been developed by Kevin Pyart, Senior Splunk SE (UK Public Sector)

For Support please contact [email protected]

License

https://www.apache.org/licenses/LICENSE-2.0.txt

License Copyright 2021 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.